{
  "id": "GHSA-6784-9c82-vr85",
  "summary": "Injection of arbitrary HTML/JavaScript code through the media download URL",
  "details": "### Impact\n\nThis vulnerability allows an attacker to inject arbitrary HTML/JavaScript code through the media download URL in Sulu CMS. It affects the SuluMediaBundle component. The vulnerability is a Reflected Cross-Site Scripting (XSS) issue, which could potentially allow attackers to steal sensitive information, manipulate the website's content, or perform actions on behalf of the victim.\n\n### Patches\n\nThe problem has not been patched yet. Users should upgrade to patched versions once they become available. Currently affected versions are:\n\n* 2.6.4\n* 2.5.20\n\n### Workarounds\n\nUntil an official patch is released, users can implement additional input validation and output encoding for the 'slug' parameter in the MediaStreamController's downloadAction method. Alternatively, configuring a Web Application Firewall (WAF) to filter potentially malicious input could serve as a temporary mitigation.\n\n### References\n\n* GitHub repository: https://github.com/sulu/sulu\n* Vulnerable code: https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/Controller/MediaStreamController.php#L106\n",
  "aliases": ["CVE-2024-47617"],
  "modified": "2024-10-17T16:30:51.124286Z",
  "published": "2024-10-03T18:26:26Z",
  "database_specific": {
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-03T18:26:26Z",
    "cwe_ids": ["CWE-79"],
    "nvd_published_at": "2024-10-03T15:15:14Z",
    "severity": "MODERATE"
  },
  "references": [
    {"type": "WEB", "url": "https://github.com/sulu/sulu/security/advisories/GHSA-6784-9c82-vr85"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47617"},
    {"type": "WEB", "url": "https://github.com/sulu/sulu/commit/a5a5ae555d282e88ff8559d38cfb46dea7939bda"},
    {"type": "WEB", "url": "https://github.com/sulu/sulu/commit/eeacd14b6cf55f710084788140d40ebb00314b29"},
    {"type": "PACKAGE", "url": "https://github.com/sulu/sulu"},
    {"type": "WEB", "url": "https://github.com/sulu/sulu/blob/2.6/src/Sulu/Bundle/MediaBundle/Controller/MediaStreamController.php#L106"}
  ],
  "affected": [
    {
      "package": {"name": "sulu/sulu", "ecosystem": "Packagist", "purl": "pkg:composer/sulu/sulu"},
      "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.6.0"}, {"fixed": "2.6.5"}]}],
      "versions": ["2.6.0","2.6.1","2.6.2","2.6.3","2.6.4"],
      "database_specific": {
        "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-6784-9c82-vr85/GHSA-6784-9c82-vr85.json",
        "last_known_affected_version_range": "\u003c= 2.6.4"
      }
    },
    {
      "package": {"name": "sulu/sulu", "ecosystem": "Packagist", "purl": "pkg:composer/sulu/sulu"},
      "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0.0"}, {"fixed": "2.5.21"}]}],
      "versions": ["2.0.0","2.0.1","2.0.10","2.0.11","2.0.12","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","2.1.0","2.1.0-RC1","2.1.0-RC2","2.1.1","2.1.10","2.1.11","2.1.12","2.1.13","2.1.14","2.1.2","2.1.3","2.1.4","2.1.5","2.1.6","2.1.7","2.1.8","2.1.9","2.2.0","2.2.0-RC1","2.2.1","2.2.10","2.2.11","2.2.12","2.2.13","2.2.14","2.2.15","2.2.16","2.2.17","2.2.18","2.2.19","2.2.2","2.2.3","2.2.4","2.2.5","2.2.6","2.2.7","2.2.8","2.2.9","2.3.0","2.3.0-RC1","2.3.0-RC2","2.3.1","2.3.10","2.3.11","2.3.12","2.3.13","2.3.2","2.3.3","2.3.4","2.3.5","2.3.6","2.3.7","2.3.8","2.3.9","2.4.0","2.4.0-RC1","2.4.1","2.4.10","2.4.11","2.4.12","2.4.13","2.4.14","2.4.15","2.4.16","2.4.17","2.4.18","2.4.19","2.4.2","2.4.20","2.4.3","2.4.4","2.4.5","2.4.6","2.4.7","2.4.8","2.4.9","2.5.0","2.5.0-alpha1","2.5.1","2.5.10","2.5.11","2.5.12","2.5.13","2.5.14","2.5.15","2.5.16","2.5.17","2.5.18","2.5.19","2.5.2","2.5.20","2.5.3","2.5.4","2.5.5","2.5.6","2.5.7","2.5.8","2.5.9"],
      "database_specific": {
        "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-6784-9c82-vr85/GHSA-6784-9c82-vr85.json",
        "last_known_affected_version_range": "\u003c= 2.5.20"
      }
    }
  ],
  "schema_version": "1.7.3",
  "severity": [
    {"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},
    {"type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}
  ]
}